VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Posted: Thu May 04, 2017 1:23 pm
by oliwel
Hi All,

I am running an OpenVPN server with a two-level PKI where the server and client certificates come from different CAs:

              Root CA
             /       \
       ServerCA     UserCA
          |            |
     Server Cert   Client Cert

All is fine using the OpenVPN Windows/Linux clients, but I am unable to connect using the app on either Android or iOS. I use an embedded ovpn config file that has all three CA certs and the client cert/key; it works flawlessly on the "fat" client. I am pretty sure about the content of the certificate items: if I extract them I can validate the client using openssl, and as said it works on the fat client! The log file of the client shows that the server certificate is verified; after that I just see it running into a connection timeout.

The keys are all RSA 2048; the certs are all signed with SHA-256, in case it matters.

This is what the ovpn file looks like:

remote vpn-entry-01.acme-company.nowhere
remote-cert-tls server
client
proto udp
dev tun
comp-lzo
verb 5

<ca>
-----BEGIN CERTIFICATE-----
Root CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Server CA, issued by RootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
User CA, issued by RootCA
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
The clients certificate, issued by User CA above
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
Clients Key, I tried it with or without password
-----END RSA PRIVATE KEY-----
</key>
Server.log

VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=DE, DC=Acme, DC=VPN User, DC=External, CN=test.user@acme.com:phone
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Re: VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Posted: Thu May 04, 2017 2:00 pm
by TinCanTech
Not being sure what you have done to your PKI, please see this:
https://community.openvpn.net/openvpn/w ... ate_Chains

I am led to believe that the Android and iOS OpenVPN apps support chains.

Re: VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Posted: Fri May 05, 2017 10:10 pm
by zFsyFakxEA
It does support chains. A bit. Or at least older chains. The included PolarSSL version has a bug concerning new, stronger encryption schemes. The same problem is described in my post: viewtopic.php?f=33&t=24003

edit: my fault; on closer examination, this seems to be a different problem.

Re: VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Posted: Sat May 06, 2017 6:57 am
by TiTex
oliwel wrote:
Hi All,

I am running an OpenVPN server with a two-level PKI where the server and client certificates come from different CAs:

              Root CA
             /       \
       ServerCA     UserCA
          |            |
     Server Cert   Client Cert
The client conf should contain:

...
<ca>
-----BEGIN CERTIFICATE-----
Server CA, issued by RootCA (the CA which signed the server cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA
-----END CERTIFICATE-----
</ca>
...
The server conf should have:

...
<ca>
-----BEGIN CERTIFICATE-----
User CA, issued by RootCA (the CA which signed the client certs)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA
-----END CERTIFICATE-----
</ca>
...

A chain always starts with the leaf cert, the most specific one... so server/client cert, intermediate CAs, root CAs.
In this case, the server has to trust the user cert, and the client has to trust the server cert... in some cases you can get away with just the root CA; not sure if it's the same with OpenVPN.
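A worked check of the bundle advice in the reply above and of the depth=0 error in the first post, as an added example that is not part of the thread. It needs only the openssl command line: it rebuilds the PKI drawn in the first post (the subjects, the `:phone` client CN and the `vpn-entry-01.acme-company.nowhere` host name are assumptions copied from the post's placeholders, and the extension profiles are a choice made here, not something the post states), then verifies the client leaf against several candidate `<ca>` bundles exactly as the server does. It shows that the server side can verify the client only when the bundle it trusts holds UserCA (the issuer of the client cert) together with the root, that ServerCA in that bundle is irrelevant, that the order of certificates inside a trust bundle does not matter to openssl, and that with only the root trusted the check passes only if the intermediate is presented alongside the leaf (openssl's `-untrusted`). The `-purpose sslserver` check approximates what `remote-cert-tls server` in the posted client config demands of the server certificate; that mapping is an approximation, not OpenVPN's own code path.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the two-level PKI from the first
# post with openssl and check which <ca> bundle contents let each side verify the
# other's certificate. All subjects and host names are made up to match the post.
set -eu

WORK="${PKI_WORK:-$(mktemp -d)}"

# Extension profiles (constructed here): CA certs, a TLS server leaf, a TLS client leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"

# csr NAME SUBJECT: fresh RSA-2048 key and CSR (the thread uses RSA 2048 / SHA-256).
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXT: issue NAME's CSR under ISSUER with the given extension profile.
sign() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -extfile "$WORK/$3" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  csr root "/C=DE/O=Acme/CN=Root CA"
  openssl x509 -req -sha256 -days 60 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  csr serverca "/C=DE/O=Acme/CN=ServerCA"; sign serverca root ca.ext
  csr userca   "/C=DE/O=Acme/CN=UserCA";   sign userca   root ca.ext
  csr server "/C=DE/O=Acme/CN=vpn-entry-01.acme-company.nowhere"; sign server serverca server.ext
  csr client "/C=DE/O=Acme/CN=test.user@acme.com:phone";          sign client userca   client.ext
}

# bundle NAME CA...: concatenate CA certs into one PEM file, i.e. the contents of <ca>.
bundle() {
  out="$WORK/$1.pem"; shift
  : > "$out"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$out"; done
}

# verify_leaf BUNDLE LEAF: 0 if LEAF chains to a root using only what BUNDLE holds.
verify_leaf() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_error BUNDLE LEAF: openssl's diagnostic text for a failed verification.
verify_error() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.crt" 2>&1 || true
}

# verify_with_chain BUNDLE INTERMEDIATE LEAF: the peer also presents its intermediate
# (openssl -untrusted); this is the only way a bundle with "just the root CA" can work.
verify_with_chain() {
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.crt" "$WORK/$3.crt" >/dev/null 2>&1
}

# verify_purpose BUNDLE LEAF PURPOSE: additionally require a TLS role (sslserver or
# sslclient), roughly what OpenVPN's remote-cert-tls server|client enforces.
verify_purpose() {
  openssl verify -CAfile "$WORK/$1.pem" -purpose "$3" "$WORK/$2.crt" >/dev/null 2>&1
}

build_pki
bundle root_only     root
bundle root_serverca root serverca          # wrong intermediate for the client side
bundle userca_root   userca root            # the reply's proposal for the server
bundle root_userca   root userca            # same CAs, reversed order
bundle all_three     root serverca userca   # what the first post ships
bundle serverca_root serverca root          # the reply's proposal for the client

# What the server sees for each candidate <ca> when the client presents only its leaf.
for b in root_only root_serverca userca_root root_userca all_three; do
  if verify_leaf "$b" client; then echo "server <ca>=$b: client cert OK"
  else echo "server <ca>=$b: $(verify_error "$b" client | grep '^error .* depth')"; fi
done
```

Run as `sh pki-check.sh`; set `PKI_WORK` to keep the generated files. The two bundles lacking UserCA print `error 20 at 0 depth lookup: unable to get local issuer certificate`, the same depth=0 failure as in the posted server log, while every bundle containing UserCA and the root passes regardless of order.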